It was the Christmas of 1981 that I received my first computer; a Sinclair ZX81.
It’s been over 25 years since I started using Wordstar and dBase on CP/M running on TeleVideo TS802 and later TS803 machines.
Since then it’s been a downward spiral; through multiple BBC/Acorn machines; then 8086, 80286, 80386sx, 486, Pentium and beyond PCs.
I’ve been working with the next version of ZENworks all week; and for several reasons I needed to clear up my MSI database on several Windows machines.
Here’s a cool tool from Microsoft that makes it easy. The Windows Installer CleanUp Utility.
Update time again – this time for another security issue.
Here’s the mail from wp-testers:
http://wordpress.org/beta/wordpress-2.0.6-RC2.zip
http://wordpress.org/beta/wordpress-2.0.6-RC2.tar.gzRC2 addresses the following vulnerability.
http://seclists.org/fulldisclosure/2006/Dec/0463.htmlWe also changed how we escape HTML attributes. Escaping is done with a new
attribute_escape() function.http://trac.wordpress.org/changeset/4656
This touched a lot of files so we need to do some broad testing to make sure we didn’t fat finger anything.
Should be GA soon; advisable to upgrade.
I wrote about moving my primary mail server to SLES 10 and Netmail 3.5.2 a month ago.
Everything has been working really well – great uptime, better performance, another box moved to SLES 10..
Except for one little thing. Grania has been commenting that some of her email is missing.
Well – it’s not been in the inbound SpamAssassin kill files; it’s not stuck on the mail server; there are no errors with connectivity; no problems with DNS or MX records. The mail has been from all over – so it’s not someone like Yahoo being picky. Also normal mail has been coming in fine – so we’ve not been blackholed.
Tonight I decided to hunt down the problem.
It was me. I missed one step for the migration of mail; to use Netmail rules and forwarding the AutoReply agent needs creating and configuring.
The AutoReply Agent also enables users to forward their messages to another e-mail address. Users can specify if they want to retain a copy of the message in their NetMail mailbox or forward the message to the designated address.
Ooops. I missed that one. Three mouse clicks later and everything is back to normal.
I just trawled the aliases and there were over 400 mails to forward to the real mailboxes.
Back in full form with ‘The Life Pursuit’. First chance I’ve had to listen to it (baby and all that). “Another Sunny Day” is especially good.
Fun fun fun – server consolidation time.
Dell P4, 2GB RAM, 1TB storage (4x 300GB SATA RAID 5)
Install SLES 10, no GUI, runlevel 3 only. Disable pretty much everything not needed.
I chose ext3 for /, xfs for my NAS filesystem; I’ve had good results using xfs – reliability and performance.
Next optimisation of the filesystem:
#/etc/sysctl.conf
# Reduces the amount of work the TCP stack does.
net.ipv4.tcp_sack = 0
# The number of inodes (fs.inode-nr) available to the Linux kernel should be 3-4 times
# greater than the fs.file-max parameter
fs.inode-nr = 128000
# Maximum number of file handles that can open at a given time (default=4096)
fs.file-max = 64000
Apply the configuration and reboot:
chkconfig boot.sysctl on
Install Kerberos Client libraries. This can be done from YAST or the ZENworks updater. The basic modules needed are:
Install the SAMBA pieces:
Next configuration of SAMBA and the Kerberos environment; I found that using YAST wouldn’t let me set this up correctly. The two files are /etc/krb5.conf and /etc/samba/smb.conf
Note that krb5.conf expects everything AD related in upper case. Took me a few tries to realise that.
I’ve cleansed the real information – for the record there is no AD infrastructure at evilzenscientist.com – it’s just illustrative.
Active Directory server: 192.68.0.16, EZS-KDC
Active Directory tree: ezs-ad.evilzenscientist.com
Active Directory ‘domain’: EZS-AD
#/etc/krb5.conf
[libdefaults]
default_realm = EVILZENSCIENTIST.COM
clockskew = 300[realms]
EVILZENSCIENTIST.COM = {
kdc = 192.168.0.16
default_domain = EZS-AD
admin_server = 192.168.0.16
}[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.EZS-AD = EVILZENSCIENTIST.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
Next is the SAMBA configuration /etc/samba/smb.conf
#/etc/samba/smb.conf
[global]
workgroup = EZS-AD
realm = EZS-AD.EVILZENSCIENTIST.COM
password server = EZS-KDC.EZS-AD.EVILZENSCIENTIST.COM
security = ADS
encrypt passwords = yes
server string = %h SAMBA %v SLES 10winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes[data]
comment = data
read only = no
path = /data
user = @”EZS-AD+domain users”
Next is the Active Directory authentication configuration.
Edit /etc/nsswitch.conf – and make sure that these lines are present:
#/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
Reboot and then test the Kerberos implementation:
Test the Kerberos implementation:
This should prompt for a password and return no errors. Note that time sync between the client and the AD KDC server needs to be pretty tight. Look at using NTP.
Join the server to the AD domain:
net ads join
Using short domain name — EZS-AD
Joined ‘EZS-NAS’ to realm ‘EZS-AD.EVILZENSCIENTIST.COM’
There are some testing steps; look at the getent tool:
getent passwd
getent groups
These should return users and groups from the AD world.
That’s it for now; I’m the happy owner of a good, fast NAS box that is integrated into my Active Directory.
For the record – I have found that SLES 10 + SAMBA is about 30% faster than a Windows 2003 server on the same hardware. Cheaper and Faster – now that’s a result.
Recent Comments